Back in 2018 I wrote this:
Picture the scene: You’ve just been on a wonderful vacation it’s been a great time to relax and do something you love, but now you are walking into your place of work. Waiting for you is a mountain of emails and you want to get right to it. You take out your iPad, Android tablet or open up your laptop and turn it on. Then it hits you, those words you dread: “Your password has expired”. Today is the last day you want to be changing your password. You’ve got enough to think about, but you have little choice. You wonder whether you should have reset your password before you went on vacation but you’re not sure that would have made any difference.
After fighting with the complicated set of rules that define what your password can be, you eventually pick a new one. For the rest of the day, and the next few, you try to remember to type the new password rather than the old one. I characterise this as The Four Ages of Remembering a New Password. Recently, the UK governments IT security advisor, the CESG, reiterated and gave further explanation for advice it gave in September 2015:
Regular password expiry is a common requirement in many security policies. However, in CESG’s Password Guidance published in 2015, we explicitly advised against it. (Read more: The problems with forcing regular password expiry)
Scheduled password expiry has been a dogma of enterprise IT security for many decades. It’s so embedded into the fabric of the IT landscape that it sounds scandalous for an organization as esteemed as the CESG to challenge it, but challenge it they have. The argument that they make, in summary, is that the “usability costs” of regular password changes makes people adopt mechanisms to cope with the changes that themselves lead to other security vulnerabilities:
It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.
The CESG isn’t recommending that organizations don’t worry about password vulnerabilities; they are recommending that organizations use other measures that do not involve scheduled password expiry and have a lower “usability cost.” They are proposing measures that they believe match better to the modern vulnerabilities that passwords experience.
I concluded with these words:
Whilst the approach of regular password expiry is embedded in corporate IT, it isn’t in places where you might expect it to be if it were such a good approach. My bank doesn’t ask me to change my password regularly; it makes sure that I have a complicated password that I can understand by making me use a password and a pin. For sensitive transactions, it makes me use two-factor authentication. Amazon doesn’t make me change my password regularly. When I log on to twitter from a new device, it sends me a message to let me know and to confirm that it’s really me. All of these approaches have a far lower “usability cost” than the regular password change, and it’s those approaches that the CESG is advising UK government organisations to adopt. It really is time to stop regular password expiry.
In the two years since I wrote my post, and the 5 years since the initial advice was given, little has changed in most corporate security environments. Challenging the dogma of password expiry is a short walk to a frustrating day. Many organisations now sanction password stores to alleviate the problem of multiple passwords and to ease the pain of password expiry, this doesn’t fix the problem it just makes it a little easier. Ironically, few of these password stores require the individual user to change their password.
In these days of increased home working many organisations have seen their password and security management challenged by the need to keep their people working. Perhaps this is another area where a crisis precipitates a change that seemed far too difficult in normal times.
It’s worth noting here that the CESG no longer exists and has since been replaced by the NCSC is the UK, but the advice hasn’t changed, although I did have to update the links in the above.
Other organisations have given the same and similar advice:
- NIST: Digital Identity Guidelines
- Microsoft: Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903
and for balance someone who’s standard still says every 90 days:
I am hoping for the days when we look back on passwords as a strange thing from our past, a bit like flared jeans, but I suspect that I’m not going to see it in my lifetime 😉.
Header Image: This is the view from Martindale towards Ulswater.
Graham Chastney 
Ask for the reason and its “to be secure, stop hackers”.
Ask how will they know which username to use and its “well, they can easily see from linkedIn who works here… so they can guess the usernames”
Ask why we use real names as usernames for logging into corporate systems and its “………..”
LikeLiked by 1 person
I remember this as one of the first real disagreements that I had with Aerospace security, when I still worked for them. It was one of the few battles that I ‘won’, although I got nowhere near the relaxed policy that I was arguing for. It’s one of many ways that dedicated security teams reduced security through their blinkered view of reality
LikeLiked by 1 person